Vundo variant hijacks winlogon...

[paulaerison]

Vundo variant hijacks winlogon, blocks and disables automatic updates, root kit dropper with multiple outbound tcpip connections.... sbsd can not remove this.... saymantec fuxvundo can't remove this, mcaffee can't remove this, safe mode can't remove this... it's attacked to winlogon under notify... teatimer doesn't even scan this reg tree so I can't load teatimer in safe mode and walk through and kill the registry entries that WONT DIE...

dll can't be renamed...
hijackthis can't be downloaded because a very official looking window says "windows has identified this program as potentially harmfull and blocked access to it" poof, it's gone.... same with anything I try and download, INCLUDING windows malicious software removal tool... any windows update.... it's all blocked...


ARRRRRGGGHHHH x10

now what? is there a way, so set the registry to BYPASS winlogon and just load command.com or cmd.exe so I can delete the file then reboot into safe mode command prompt and re-run sbsd?

note: sbsd identifies the file every time, even though it keeps changing it's name and CLSID...

"tasklist /m *" shows me the dll('s)... they always havre goofy name and are attached to iexplore, explorer, and winlogon... all three will have the same one attached, as well as iexplore will have 1-3 more... the names are random in appearance.... I've tried adding the CLSID into the BLOCKED section, but apparently when it exits, it takes steps to protect it self with registry monitoring and morphing dll name and CLSID...

any suggestions? (i'm sending this from a different ;read; non-infected, computer)

[paulaerison]

Any ideas short of format C:?

[Blade81]

Hi

Let's see if you can download and run this

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

[paulaerison]

Hi

Let's see if you can download and run this

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

I get a popup that claims to be windows protection and has blocked the file as being protentially harmful...

15 years, i've never been hacked, or gotten a virus I couldn't get rid of... FIFTEEN YEARS... and then I opened what appeared to be a PDF attackemtn from my wife... BAM...

this thing is hooked into winlogon notify... it loads before EVERYTHING I can do, even in safe mode command prompt only... when I delete the registry entry, it poofs back... I thought i'd be clever and reset the registry permissions on that key so it couldn't acces it and re-write itself into the registry... F5 reveals even MORE permiscious permissions {EVERYONE:FULL ACCESS/SYSTEM:FULL ACCESS}... even WORSE that the default...

I am at a loss for a solution save FORMAT C:... I would really rather not if it can be helped.... I have 7 years worth of data on that system and nothing big enough to back it up (dual 280gb hdds)...

it's corrupting access to the FDD, so I can't even create a boot floppy... in safe mode, USB drives don't work... I can't even load it on another system...

this thing is tenatious... sbsd and mcaffee both detect it, and "claim" to have removed it and require a reboot to complete because a file was in use...

reboot -> safe mode command prompt only -> tasklist /m* >tasklist.txt | grep winlogon -> reveals the presence of a gobldygook named dll in sys32 attached to winlogon... again... GRRR....

[paulaerison]

I wonder if I can boot into safe mode network and use file sharing to remotely place the file on the system and then quickly execute it from a command prompt (killing explorer firtst and using taskman to start cmd)... I'm going to try that and let you know.

[paulaerison]

Nope, it's hooked in there too... as soon as I tried to run it, I got the popup.

[paulaerison]

and a bit of judicious scripting, I was able to detatch the DLL from winlogon and re-write the winlogon notify section of the registry to elimitinate it on startup... sbsd and mcaffee were both able to complete without popups (mcaffee I had scan only sys32 & restore to remove the immediate threat, a more thourough scan to follow) wish me luck on a networked reboot... not sure if iexplore will pull in one of it's buddies when I try and download this, but we'll see if I can avoid a reboot, it won't be able to hook back into winlogon, and it will be a child proc of explorer so I can taskkill /f/t/s and it should kill that and everything associated as a child of explorer (including any mal dlls/bhos)... wish me luck..

[paulaerison]

Hi

Let's see if you can download and run this

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

ok, even in safe mode, the "windows security warning" still popped up, I even went so far as to load the internet control palnel and turn off ALL bhos and set security to max... YARG!!!

Soon as I clicked OK, dss.exe went poof... even tried running it directly... is there an FTP link that I can use to download from the command prompt without explorer loaded?

[paulaerison]

ok, even in safe mode, the "windows security warning" still popped up, I even went so far as to load the internet control palnel and turn off ALL bhos and set security to max... YARG!!!

Soon as I clicked OK, dss.exe went poof... even tried running it directly... is there an FTP link that I can use to download from the command prompt without explorer loaded?

killed explorer /t/f and iexplore /t/f... then loaded taskman and re-loaded iexplore... added safer and that tool place to trusted zones... got the popup again, BUT, this time I was able to taskkill /t/f /im iexplore* and it never got the chance to delete the file... WOOT!... now posting main and extra....

[paulaerison]

Deckard's System Scanner v20071014.68
Run by ntadmin on 2008-06-17 08:49:30
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
18: 2008-06-16 14:44:11 UTC - RP421 - Spybot-S&D Spyware removal
17: 2008-06-15 16:41:20 UTC - RP420 - Spybot-S&D Spyware removal
16: 2008-06-15 16:38:36 UTC - RP419 - Spybot-S&D Spyware removal
15: 2008-06-15 15:00:11 UTC - RP418 - Software Distribution Service 3.0
14: 2008-06-15 14:59:07 UTC - RP417 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-21 21:47:46 UTC - RP404 - Unsigned driver install


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-17 08:52:00
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\cmd.exe
C:\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&ar=runonce&pver={SUB_PVER}&plcid={SUB_CLSID}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E7C50E6-0BBF-4FB9-BB5F-1162FD8924EF} - (no file)
O2 - BHO: (no name) - {1CE2611D-C642-4C15-A505-F6F20FE0F802} - (no file)
O2 - BHO: (no name) - {23577E89-4F44-40FC-9338-4F6FCCD497EB} - (no file)
O2 - BHO: (no name) - {3A41BFF5-8A08-48F3-A2B3-C155360027C0} - (no file)
O2 - BHO: (no name) - {427F6191-E327-4E0D-9F48-D7014D06B696} - (no file)
O2 - BHO: (no name) - {43F550EA-7462-412A-A27D-9644898A48E6} - (no file)
O2 - BHO: (no name) - {4543E828-4EAC-4273-9CBF-71006A8997F2} - (no file)
O2 - BHO: (no name) - {46DD5C71-08CC-4721-BC9F-710B5F0E5E3B} - C:\Windows\system32\geBrOefc.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5EDEE2A6-9EAF-48FB-8782-1F8BA93DB5FF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Z:\Sun\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {779F5D7B-85D4-404B-B130-FB2D0EC5CACF} - (no file)
O2 - BHO: (no name) - {7BE0B2EC-8C2E-467A-A500-7594227B18B4} - (no file)
O2 - BHO: (no name) - {7F260734-72A5-46E1-A144-99C714CB0786} - (no file)
O2 - BHO: (no name) - {8649F0BB-AFF8-44B8-9D96-92ED8AF3C6A8} - (no file)
O2 - BHO: (no name) - {96307A53-4723-4931-8625-A5D6A7A82E0D} - (no file)
O2 - BHO: (no name) - {96BBBFB6-9468-4D6F-B204-28290799E441} - (no file)
O2 - BHO: (no name) - {99959CA7-FA15-4A05-9DA7-F5C7A1A3A7BC} - (no file)
O2 - BHO: (no name) - {9E9E6136-D768-41AD-B6A2-BA246664C8E7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BB828984-0EAA-4878-9EBE-EE61215B4257} - (no file)
O2 - BHO: (no name) - {BC53E890-2693-4906-B6BD-BC2E293079F0} - C:\Windows\system32\tuvTmNHX.dllx (file missing)
O2 - BHO: (no name) - {C1BBCD8C-AF71-4A01-87C5-FAC34E6116A9} - (no file)
O2 - BHO: (no name) - {E2D90E0D-04E2-4CCB-994E-5793A874E07F} - (no file)
O2 - BHO: (no name) - {E6163054-8277-4797-8800-054F53AC3A9B} - (no file)
O2 - BHO: (no name) - {EF6D1649-E2AD-4293-AA11-9224B0FD46BE} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-E22ABC2EED3F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: atfxqogp - {0FAAC4A8-2E74-4D58-9AC0-95201C69185A} - C:\Windows\atfxqogp.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\Windows\system32\mstask.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA8461] command /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3304] cmd /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled = Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk.disabled = Z:\Program Files\WinTV\Ir.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk.disabled = ?
O4 - Global Startup: Microsoft Office.lnk.disabled = Z:\Program Files\Office2KPrem\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Z:\Sun\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Z:\Sun\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.spybot.info (HKCU)
O15 - Trusted Zone: http://www.techsupportforum.com (HKCU)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...OGAControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} (CheckFileStatus.UserControl1) - https://am.hrblock.com/ActivexCompon...FileStatus.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} () - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099059536327
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169069644734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{47ECF58E-EE56-4535-A375-5BCBADE6F9B1}: NameServer = 192.168.64.1
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: tuvTmNHX - C:\Windows\system32\tuvTmNHX.dll (file missing)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: vregfwlx - {80ADA70D-39D6-4F1B-BC24-2C207A1C87F1} - C:\Windows\vregfwlx.dll (file missing)
O21 - SSODL: vltdfabw - {5B0770DF-9A00-4C14-B1B1-9AC5F2CBDD3F} - C:\Windows\vltdfabw.dll (file missing)
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - Z:\Sun\SDK\lib\appservService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe


--
End of file - 12181 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Imagedrv - c:\windows\system32\drivers\imagedrv.sys <Not Verified; Ahead Software AG and its licensors; NERO IMAGEDRIVE>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys
S2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 HCWBT8XX (Hauppauge WinTV 848/9 WDM Video Driver) - c:\windows\system32\drivers\hcwbt8xx.sys <Not Verified; Hauppauge Computer Works; WinTV WDM Driver>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
S2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
S2 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
S3 AppServer9PE (SunJavaSystemAppserver9PE) - z:\sun\sdk\lib\appservservice.exe "\"z:\sun\sdk\bin\asadmin.bat\" start-domain --user admin domain1" "\"z:\sun\sdk\bin\asadmin.bat\" stop-domain domain1\"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-16 13:40:47 426 --ah---c- C:\Windows\Tasks\User_Feed_Synchronization-{5678D393-1137-432C-86AC-EBF0BB7EA42C}.job
2008-05-30 08:55:34 332 --a----c- C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 08:45:11 686630 --a----c- C:\dss.exe
2008-06-17 08:06:10 45 --a----c- C:\Documents and Settings\ntadmin\tl.cmd
2008-06-16 22:38:37 51240 --a----c- C:\OnDemandScanLog_06162008_2237 <ONDEMA~1>
2008-06-16 19:52:00 100 --a----c- C:\ntpass.cmd
2008-06-16 11:02:19 0 d------c- C:\Documents and Settings\ntadmin\Application Data\Identities
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\Templates
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\Start Menu
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\SendTo
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\Recent
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\PrintHood
2008-06-16 11:02:18 2359296 --ah----- C:\Documents and Settings\ntadmin\NTUSER.DAT
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\NetHood
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\My Documents
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\Local Settings
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\Favorites
2008-06-16 11:02:18 0 d------c- C:\Documents and Settings\ntadmin\Desktop
2008-06-16 11:02:18 0 d--hs--c- C:\Documents and Settings\ntadmin\Cookies
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\Application Data
2008-06-15 13:41:26 665 --ahs--c- C:\Windows\system32\SrCKlRqr.ini2
2008-06-15 12:35:55 0 d------c- C:\Documents and Settings\aaerison\Application Data\Macromedia
2008-06-15 12:30:35 93056 --a----c- C:\Windows\system32\hyolsohw.dll
2008-06-15 12:29:26 238802 --ahs--c- C:\Windows\system32\dKnTCcdd.ini2
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\SendTo
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Recent
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\PrintHood
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\NetHood
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\My Documents
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Local Settings
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\Favorites
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Desktop
2008-06-15 12:21:10 0 d--hs--c- C:\Documents and Settings\aaerison\Cookies
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Application Data
2008-06-15 12:21:10 0 d---s--c- C:\Documents and Settings\aaerison\Application Data\Microsoft
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Application Data\Identities
2008-06-15 12:21:09 0 d--h---c- C:\Documents and Settings\aaerison\Templates
2008-06-15 12:21:09 0 dr-----c- C:\Documents and Settings\aaerison\Start Menu
2008-06-15 12:21:09 2097152 --ah----- C:\Documents and Settings\aaerison\NTUSER.DAT
2008-06-14 21:53:17 92544 --a----c- C:\Windows\system32\bujlgvtl.dll
2008-06-13 21:51:07 92544 --a----c- C:\Windows\system32\qrepuvxt.dll
2008-06-13 08:58:55 0 d------c- C:\Windows\Prefetch
2008-06-13 08:08:37 0 d------c- C:\Windows\system32\scripting
2008-06-13 08:08:29 0 d------c- C:\Windows\l2schemas
2008-06-13 08:08:26 0 d------c- C:\Windows\system32\en
2008-06-13 07:46:02 99 --a----c- C:\Documents and Settings\pauld99\rdc.cmd
2008-06-12 21:52:31 93 --a----c- C:\Documents and Settings\pauld99\rundlldead.cmd
2008-06-12 21:47:28 238196 --ahs--c- C:\Windows\system32\cfeOrBeg.ini2
2008-05-30 10:16:38 1542 --ahs--c- C:\Windows\system32\FgQBdMoq.ini2
2008-05-30 09:25:29 0 d------c- C:\Documents and Settings\LocalService\Desktop
2008-05-29 22:02:36 573878 --ahs--c- C:\Windows\system32\npWGNqss.ini2
2008-05-29 14:18:27 577005 --ahs--c- C:\Windows\system32\CdMTuBeg.ini2
2008-05-29 12:51:18 111 --a----c- C:\Documents and Settings\pauld99\regtask.cmd
2008-05-29 12:26:12 691545 --a----c- C:\Windows\unins000.exe
2008-05-29 12:26:12 2542 --a----c- C:\Windows\unins000.dat
2008-05-29 11:35:31 1387 --ahs--c- C:\Windows\system32\bLkkmnnn.ini2
2008-05-29 11:29:47 94208 --a----c- C:\Windows\xmpstean.exe
2008-05-29 11:29:47 163840 --a----c- C:\Windows\egtf.exe
2008-05-29 11:29:47 249856 --a----c- C:\Windows\boqnrwdmmpa.dll
2008-05-22 20:53:33 0 d------c- C:\Program Files\Qimage
2008-05-22 19:32:21 0 d------c- C:\Documents and Settings\pauld99\Application Data\Preclick Photo Organizer
2008-05-22 19:32:07 0 d------c- C:\Program Files\Preclick


-- Find3M Report ---------------------------------------------------------------

2008-06-15 20:45:50 0 d------c- C:\Program Files\Radmin
2008-06-13 08:09:43 0 d------c- C:\Program Files\Messenger
2008-06-13 08:08:23 0 d------c- C:\Program Files\Movie Maker
2008-06-13 08:01:48 0 d------c- C:\Program Files\Windows NT
2008-05-02 10:31:30 0 d------c- C:\Program Files\WatchGuard
2008-04-23 08:01:36 0 d------c- C:\Program Files\DNA


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E7C50E6-0BBF-4FB9-BB5F-1162FD8924EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CE2611D-C642-4C15-A505-F6F20FE0F802}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23577E89-4F44-40FC-9338-4F6FCCD497EB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A41BFF5-8A08-48F3-A2B3-C155360027C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{427F6191-E327-4E0D-9F48-D7014D06B696}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43F550EA-7462-412A-A27D-9644898A48E6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4543E828-4EAC-4273-9CBF-71006A8997F2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46DD5C71-08CC-4721-BC9F-710B5F0E5E3B}]
C:\Windows\system32\geBrOefc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDEE2A6-9EAF-48FB-8782-1F8BA93DB5FF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{779F5D7B-85D4-404B-B130-FB2D0EC5CACF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BE0B2EC-8C2E-467A-A500-7594227B18B4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F260734-72A5-46E1-A144-99C714CB0786}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8649F0BB-AFF8-44B8-9D96-92ED8AF3C6A8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96307A53-4723-4931-8625-A5D6A7A82E0D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96BBBFB6-9468-4D6F-B204-28290799E441}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99959CA7-FA15-4A05-9DA7-F5C7A1A3A7BC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E9E6136-D768-41AD-B6A2-BA246664C8E7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB828984-0EAA-4878-9EBE-EE61215B4257}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC53E890-2693-4906-B6BD-BC2E293079F0}]
C:\Windows\system32\tuvTmNHX.dllx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1BBCD8C-AF71-4A01-87C5-FAC34E6116A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2D90E0D-04E2-4CCB-994E-5793A874E07F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6163054-8277-4797-8800-054F53AC3A9B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF6D1649-E2AD-4293-AA11-9224B0FD46BE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"Jet Detection"="c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/2001 02:00 AM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [06/02/2003 01:25 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [06/03/2007 03:51 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 01:01 PM]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [01/28/2008 11:43 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/11/2006 10:43 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 10:05 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA8461"=command /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
"SpybotDeletingC3304"=cmd /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\Windows\system32\mstask.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2/2/2007 12:53:10 PM]
Adobe Gamma Loader.exe.lnk.disabled [10/10/2006 1:12:01 AM]
AutoStart IR.lnk.disabled [11/29/2006 4:15:20 PM]
HOTSYNCSHORTCUTNAME.lnk.disabled [8/21/2007 9:21:26 PM]
Microsoft Office.lnk.disabled [2/22/2007 4:35:19 PM]
WinZip Quick Pick.lnk.disabled [1/19/2007 1:30:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"=0 (0x0)
"NoWebServices"=0 (0x0)
"NoOnlinePrintsWizard"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BC53E890-2693-4906-B6BD-BC2E293079F0}"= C:\Windows\system32\tuvTmNHX.dllx [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vregfwlx"= {80ADA70D-39D6-4F1B-BC24-2C207A1C87F1} - C:\Windows\vregfwlx.dll [ ]
"vltdfabw"= {5B0770DF-9A00-4C14-B1B1-9AC5F2CBDD3F} - C:\Windows\vltdfabw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\Windows\System32\dimsntfy.dll

this is the one right here that I could not unload
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvTmNHX]
tuvTmNHX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\rqRlKCrS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"eMuleAutoStart"=Z:\Program Files\eMule\emule.exe -AutoStart
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nero DriveSpeed"=C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
"NeroCheck"=C:\Windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

8751 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-17 08:56:28 ------------